BKGFF17 FFI Backgrounder 2016 ERM ERM2 v46...

MSU FFI Enterprise Risk Management to Food Fraud Prevention – a case study example (v46) © 2017 Michigan State University

Applying Enterprise Risk Management

to Food Fraud Prevention – Workings of ROI vs. Vulnerability, Risk to Vulnerability, and then a

case study example of a complex Food Fraud management system

By: MSU Food Fraud Initiative led by Dr. John Spink

Date: August 2017

1 Abstract/ExecutiveSummary

Background: Food fraud is illegal deception for economic gain using food. Over the last 10 years a series

of incidents has raised awareness and urgency in addressing food fraud including the focus on a

proactive prevention approach. This holistic and all‐encompassing approach includes specialized

methods to assess past incidents in the marketplace, review the fraud opportunity, conduct

assessments, connecting to enterprise‐wide decision‐making systems such as Enterprise Risk

Management, and refine internal control systems. Methods: This report builds upon previous food fraud

prevention and food fraud Enterprise Risk Management research to provide a case study example of a

complex food fraud management system. The case study was on the Kerry Group’s specific Global

Supply Quality Risk and Vulnerability Management and Governance system. Results: The report and

case study demonstrate how a holistic and all‐encompassing approach to food fraud prevention created

control systems and risk communication for an enterprise. Conclusion: The entire Food Fraud Prevention

Cycle provides a foundation for a rational and integrated approach that “connects everything to

everything.”

Keywords: Food Fraud, Enterprise Risk Management, Economically Motivated Adulteration, Risk

Assessment, Crime

FFI Report

Video: https://youtu.be/DVl_k‐7_NEw


PRELIMINARY STATEMENT ABOUT RISK TOLERANCE:

Before starting it is important to review the concept of “risk” and an “optimal level” that is

referred to as “risk tolerance” or “risk threshold.” Many Food Scientists and Food Safety

managers use the term “risk” to define an unacceptable or intolerable level. In Codex

Alimentarius (CODEX) this is “acceptable level of protection” or ALOP. More broadly –

including by statisticians, data scientists, and business decision‐makers – risks are not all bad;

it is usually inefficient or impractical to eliminate all risks. A company or agency that is

operating with too‐little risk is usually inefficient in meeting the overall objectives set by their

stakeholders. There are situations of “insufficient risk‐taking” that are the opposite of

“excessive risk‐taking.” To use US FDA terminology there are “hazards” and only some of

those are “hazards that require a preventive control.” From the Committee of the Sponsoring

Organizations of the Treadway Commission (COSO – a group of five top accounting for

financial professional associations that created the foundation for the Sarbanes‐Oxley Act

compliance):

“The Risk Assessment Process”

“Within the COSO ERM framework, risk assessment follows event identification

and precedes risk response. Its purpose is to assess how big the risks are, both

individually and collectively, in order to focus management’s attention on the

most important threats and opportunities, and to lay the groundwork for risk

response. Risk assessment is all about measuring and prioritizing risks so that

risk levels are managed within defined tolerance thresholds without being

over‐controlled or forgoing desirable opportunities.”[1]

In this report “risk” is separated from the concept of an “unacceptable risk” or a “hazard that

requires a preventive control.” This ALOP threshold could be referred to as an “optimal” level

of risk. Several important points are:

Not all vulnerabilities are risks

Not all risks are hazards

Not all hazards are the FSMA “hazards that require a preventive control”

Risk is not always bad but excessive risk‐taking is unacceptable.


2 Introduction This backgrounder was developed to review the application of Enterprise Risk Management (ERM) and

plotting the vulnerabilities on the related Risk Map or Risk Heat Map. Food fraud prevention is an

urgent food industry need due to a series of high profile and dangerous incidents that has caused

economic harm to markets and companies. There is an intense focus due to new requirements for laws,

regulations, standards and certifications. In addition, advances in authentication detection technology

and expanding methodologies – as well as generally more equipment conducting tests – have increased

the potential of identifying the fraud and the infringing company. The infringing company is often an

unwitting victim who inadvertently distributes the fraudulent product. There are new requirements for

conducting and documenting a Food Fraud Vulnerability Assessment and Food Fraud Prevention

Strategy but no guidance on “how much is enough?” One way to decide “how much is enough?” is to

apply an overall risk or vulnerability assessment system such as Enterprise Risk Management. (See the

appendix for more on the CODEX subject of “appropriate level of protection” [ALOP] and “Food Safety

Objective [FSO].”) The Committee of the Sponsoring Organization of the Treadway Commission (COSO)

has created “Internal Controls – Integrated Framework” that is presented in Enterprise Risk

Management (ERM). [2] A key aspect of ERM is the presentation of enterprise‐wide risks in one “Risk

Map.” This single map provides a method to review all risks in relation to all other risks – or that

“connects everything to everything.” ERM has begun to be mentioned in food fraud prevention

research and literature. The justification for this paper is to provide an application example of an

integrated system for food fraud prevention.

3 Background

3.1 FoodFraudPreventionOverview

3.1.1 FoodFrauddefinitionandscope

Food fraud – including sub‐category of the US‐centric term of Economically Motivated Adulteration,

EMA – is deception for economic gain using food. [3] This includes all types of fraud not just adulterant‐

substances and all types of products not just raw materials. This is a generally globally accepted

definition and scope. Specifically this is consistent with the Global Food Safety Initiative (GFSI) Guidance

Document Version 7 definition and scope which is:

Food Fraud: “A collective term encompassing the deliberate and intentional substitution,

addition, tampering or misrepresentation of food, food ingredients or food packaging, labelling,

product information or false or misleading statements made about a product for economic gain

that could impact consumer health.”[4]


The US Food Safety Modernization Act (FSMA) does not explicitly define food fraud or EMA, and

it is clear citing back to the Food Drug & Cosmetics Act of 1938 that all types of food fraud are illegal

(EMA was defined in a previous 2009 Federal Register published meeting invitation but not mentioned

or cited in FSMA). For FSMA, ALL hazards must be evaluated and then a determination of “hazards that

require a preventive control.” ALL hazards include those that are “economically motivated.”[5] To note,

as of May 2017, Codex Alimentarius (CODEX) has established an Electronic Working Group to review

related definitions and conduct a gap analysis of current Codex documents. [6] CODEX has a definition of

“contaminant” but not of “adulterant.” [7] To address all terms, CODEX defines “hazard” as “A

biological, chemical or physical agent in, or condition of, food with the potential to cause an adverse

health effect.” [7]

The types of food fraud expand beyond the narrow scope of only adulterant‐substances and

counterfeits (Table 1). The worst health hazards and largest economic losses are probably in adulterant‐

substances and counterfeits, but catastrophic food fraud incidents can occur in any type of fraud. With

some variation in the exact phrases used, generally the full range of food fraud includes adulterant‐

substances (dilution, substitution, concealment, and unapproved enhancements), tampering

(mislabeling), over‐runs/ unauthorized production, theft, diversion (gray market, parallel trade), and

counterfeiting. [3, 4, 8, 9]

The Food Risk Matrix helps define the differences between Food Fraud, Food Quality, Food

Safety, and Food Defense (see Figure 1).[3, 11] It is important to assign accountability to both be sure

the incident is addressed and to apply the most efficient countermeasure or control system for the

specific type.


Table 1: Food Fraud Types, Definitions, and Examples (adapted from [3, 4, 8‐10]) GFSI Type of Food Fraud

Definition (from SSAFE) Examples (from GFSI Food Fraud Think Tank)

General Type of Food Fraud (From Spink & Moyer, 2011)

Dilution

The process of mixing a liquid ingredient with high value with a liquid of lower value.

Watered down products using non‐potable / unsafe water

Olive oil diluted with potentially toxic tea tree oil

Adulterant‐substance (Adulterant)

Substitution

The process of replacing an ingredient or part of the product of high value with another ingredient or part of the product of lower value.

Sunflower oil partially substituted with mineral oil

Hydrolyzed leather protein in milk

Adulterant‐substance or Tampering

Concealment

The process of hiding the low quality of a food ingredients or product.

Poultry injected with hormones to conceal disease

Harmful food colouring applied to fresh fruit to cover defects


Unapproved enhancements

The process of adding unknown and undeclared materials to food products in order to enhance their quality attributes.

Melamine added to enhance protein value

Use of unauthorized additives (Sudan dyes in spices)


Mislabelling

The process of placing false claims on packaging for economic gain.

Expiry, provenance (unsafe origin)

Toxic Japanese star anise labeled as Chinese star anise

Mislabeled recycled cooking oil

Tampering

Grey market production/ theft/diversion

outside scope of SSAFE tool Sale of excess unreported product

Over‐run, Theft, or Diversion (1)

Counterfeiting

The process of copying the brand name, packaging concept, recipe, processing method etc. of food products for economic gain.

Copies of popular foods not produced with acceptable safety assurances

Counterfeiting

Note (1): Gray Market ‐‐ a market employing irregular but not illegal methods; Theft ‐‐ something stolen; Diversion/ Parallel Trade ‐‐ the act or an instance of diverting or straying from a course, activity, or use (Spink & Moyer, 2011)


Figure 1: The Food Risk Matrix [3, 10]

Overall, Food Fraud can occur

anywhere in the food supply chain

including the raw materials (1),

manufacturing (2), and finished goods

(3); outside the direct control but

overseen by brand owner legal

functions of the activities of technology

transfer and contract manufacturing

(4); and as well as completely outside

of the legitimate supply chain (5) (see

Figure 2). The most controlled practice

is once raw materials are received in manufacturing or within the four walls of the facility until the initial

shipment of finished goods. This has been discussed in food fraud research such as the SSAFE

organization. They state “Along this dimension of environmental layers [from internal operations

through tiers or suppliers], the company’s ability to manage opportunities and motivations decreases.

Similarly, the company’s ability to obtain reliable data on the elements “Opportunities,” “Motivations,”

and “Mitigation Measures”

decreases along the axis [also

from internal operation through

tiers or suppliers].” [8] Outside

this center there is less

transparency of the supply chain.

Figure 2: Food Supply Chain

Parts including Focus Areas for

Ingredient Suppliers, Brand

Owners, and Retailers [12]

Action

Intentional Unintentional

Harm:

Public Health,

Economic, or Terror

Food

Defense

Food

Safety

Motivation

Gain:

Economic

Food

Fraud(1)

Food

Quality


3.1.2 RiskandVulnerabilityOverview

While this may seem a purely academic debate or extraneous point, there is a history of separately

applying “risk” and “vulnerability” concepts, for example in Criminology. Since the 1970’s there has been

a focus on “crime prevention” (e.g., Environmental Criminology – the study of the space of crime) in

addition to penalties and reforming (e.g., Traditional Criminology – the study of the criminal). The

prevention focus considers information from previous and new incidents but shifts to focus on the

vulnerabilities. To efficiently address food fraud prevention there is also a need to shift from risk to

vulnerability and mitigation to prevention. [13]

Before reviewing the Criminology based countermeasures and control systems it is important to

review the terminology. These definitions are from a recent scholarly journal article that was research

into the use of the terms. [13]

The concerns are characterized: [13]

Risk: “…is an uncertainty of an outcome that is assessed in terms of likelihood and consequence (ISO, 2007a; NIST, 2002; CNSSI, 2010; DHS, 2013). Often the consequence is sub‐divided into other factors such as onset, severity, or other. Risk is a based on factors of the probability of the threat and the susceptibility from vulnerability (NRC, 2009). In other applications it is an unwanted outcome (DHS, 2008, Codex Alimentarius, 2014, 21 CFR 50 (A) (.3) (k), Merriam‐Webster, 2004).”

Vulnerability: “…is a weakness or flaw that creates opportunities for undesirable events related to the system (“system design”) (ISO, 2007a; ISO 2002; ISO, 2012; DHS, 2013; NIST, 2011; CNSSI, 2010; NRC, 2009; COSO 2014; Merriam‐Webster, 2004).”

Also, the response is characterized: [13]

Mitigation: “…is intended to reduce the consequence of the event (ISO, 2007a; ISO, 2007; ISO, 2007b; DHS, 2013; Merriam‐Webster, 2004). This assumes the hazard event will occur so the goal is to mitigate or reduce the negative consequence. This focuses on reducing the risk that cannot be eliminated.”

Prevention: “…is intended to reduce or eliminate the likelihood of the event occurring (ISO, 2007; ISO, 2007a; ISO, 2007b; ISO, 2008; Merriam‐Webster, 2004). This focuses on identifying and eliminating or reducing vulnerability.”

Building upon these definitions the application to food fraud is characterized: [13]

Food fraud vulnerability: ”…is the susceptibility of a system to food fraud (e.g., milk is not tested for adulterants such as water).”

Food fraud threat: “…is the cause of a food fraud event (e.g., a criminal could dilute milk with water and then sell to a deceived customer”).

Food fraud risk: “…is the combined likelihood and consequence e that considers the threat and vulnerability of food fraud. This is a function of the vulnerability and threat (e.g., an estimate of the likelihood and consequence of milk diluted with water, sold to a deceived customer”)

While these terms may or may not be consistent with use in an organization they at least create a

common starting point. These definitions help create a common foundation and helps further in

differentiating food fraud vulnerability assessment to traditional food safety risk assessment or food

fraud prevention from food defense.


3.1.3 EnterpriseRiskManagement(ERM)

The new or evolving risk should be reviewed in relation to all other risks across the enterprise. While a

“risk threshold” may be established there is a need to convert a range of concerns into one common

assessment method. A method that is already widely implemented is Enterprise Risk Management

(ERM) – or ERM‐like system‐wide internal controls and integrated framework. Once a risk is identified

and assessed it is important to support the “resource‐allocation decision‐maker” (Usually referred to as

the “decision‐maker” but for emphasis the full term is used throughout this paper).

From COSO/ERM:

“Internal Controls: A process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: effective and efficiency of operations, reliability in financial reporting, and compliance with applicable laws and regulations. An internal control system is a synonym for internal controls applied in an entity.” [14]

“Integrated frameworks: Are defined as interconnectivity of internal controls to coordinate operations as well as provide an overall monitoring and calibrating system.” [14]

Also, related definitions include: [14]

“Inherent risk – the risk to an entity in the absence of any actions management might take to alter either the risk’s likelihood or impact.”

“Residual risk – the remaining risk after management has taken action to alter the risk’s likelihood or impact.”

“Risk appetite – the board‐based amount of risk a company or other entity is willing to accept in pursuit of its mission (or a vision).”

“Risk tolerance – the acceptable variation relative to the achievement of an objective.”

ERM was developed by the Committee of the Sponsoring Organizations of the Treadway

Commission (COSO), which was created to support compliance with the Sarbanes‐Oxley Act of 2002.

ERM provides a way to assess, manage, and communicate ALL risks or vulnerabilities and communicate

to the Board of Directors or senior management and stakeholders. Through a variety of methods the

risks or vulnerabilities are presented on an enterprise‐wide “risk matrix” (Figure 5). In that risk matrix

there is essentially an optimal boundary between acceptable and unacceptable risks which is referred to

as a risk threshold, risk tolerance, or risk appetite. [1, 15] Sarbanes‐Oxley requires the Board of Directors

– including the CEO/CFO and the corporate auditor – to sign a legal regulatory document confirming that

the Corporate Annual Report confirms all risk are within the threshold or disclosed.

The legal regulatory document required in the US by the U.S. Securities and Exchange Commission

document referred to as an annual submission referred as a “10‐k form” and a quarterly submission

which is a “10‐Q form” (see Figure 3). [16] The submission includes personal signed statements by the

CEO and CFO for both the 10‐Q form and for Sarbanes‐Oxley compliance (sees Figure 4). They are legal

and formal statements publically available that are the base for required corporate “annual report to

shareholders.”


Figure 3: Example of a Quarterly Submission 10‐Q Form[16]

Figure 4: Signed Sarbanes‐Oxley Compliance from the CEO[16]

These acts and documents require the stakeholders to define the risk appetite as it fits to the

company and may vary from one company to another (where a “medium” may be very different for

different companies). For example, the tolerance for a product failure could be different for a toy

airplane than for a passenger airplane. If a toy plane crashes there is very little risk of a loss‐of‐life –

actually it is probably expected that a toy plane will eventually break during regular operations. Even a

“near‐miss” would be absolutely unacceptable for a passenger airplane.

The risk map for a company that is under control would report all risks as within the risk threshold.

An ideal state would be for a balance of all activities to be managed to just under the risk (Figure 6).


Figure 5: Example of a Risk Map with a Range of Risks or Vulnerabilities above and below the Risk Threshold (This could be raw material and product categories or specific stock‐keeping‐units)

Figure 6: Example of a Risk Map with a Range of Risks or Vulnerabilities managed to just below the Risk Threshold

Theoretically the company with their risks positioned just below their risk appetite would both be

operating under a risk‐controlled environment and also maximizing their shareholder return (it is

assumed that increasing the risk will provide an opportunity for a greater financial reward). A key point

is that the scenario with the incidents clustered within the risk tolerance is still in compliance with

specified guidelines. Without an ERM‐type system and a risk map then increasing risk is hazard and

potentially dangerous and even to the point of catastrophic for the brand or company.

Using ERM could allow an increase in the overall risk that is still within the risk tolerance. When

considering the Food Fraud Prevention Strategy decision‐making questions include:

How do you know your operations are too risky or overly conservative?

Do you have a method for determining how much risk is “too much”?

Is this risk assessed in relation to other enterprise‐wide risks?

The integrated ERM‐type system also identifies where there might be increased – or decreased

– costs at the risk threshold. For instance, a loosening supply chain with excess product may lead to

lower commodity prices. In this market the “risk tolerance” could be decreased (e.g., stricter) and still

maintain the current cost of goods. A tightening supply or reduced availability may create higher cost of

goods where at some point it might be economical to change the formulation (e.g., a different more or

less expensive type of fish or seafood), change a process (e.g., buy a whole fish rather than skinless

fillets that are harder to confirm the species), for the enterprise to modify the risk tolerance (e.g., to

accept the company tolerates more risk or increase insurance level), to raise the price of the end‐


product (e.g., to maintain the margin), or to exit the business (e.g., stop manufacturing fish). Also, by

coordinating the activities and using enterprise risk management type processes this information can be

directly incorporated in the resource‐allocation decision‐making processes.

3.2 FoodFraudPreventionCycle(FFPC)To support resource‐allocation decision‐making it is important to provide a complete cycle that supports

the entire process. The Food Fraud Prevention Cycle (FFPC) provides a complete process including

gathering information, assessing the fraud opportunity, conducting an initial screening that considers

countermeasures and is calibrated with the ERM Risk Map. Then after review by the resource‐allocation

decision‐makers a follow‐up review may take place including a more detailed vulnerability assessment

(Figure 7).

Figure 7: Food Fraud Prevention Cycle Example from Organizing New Information through Enterprise Risk Management to Countermeasures and Review [3, 10]

The cycle and assessment is required by several food safety management standards to be updated at

least annually or as the risk assessors identify new information. This cycle is critical to explain how the

countermeasures and control systems link to the risk map.


3.3 ApplicationoftheConceptsBefore presenting the Case Study there two important concepts to review which are:

(1) “ROI” versus “ERM” which includes vulnerabilities and

(2) Using the risk map to review shifting vulnerabilities.

3.3.1 Application:TheInefficiencyofusing“Return‐on‐Investment”(ROI)versusERMVulnerability

While every expenditure is intended to provide a “value” to a business – a “return” if you will –

addressing operations or risks is not a typical earnings focused return‐on‐investment or “ROI” (See the

Appendix for a more detailed discussion). [17] The key for food fraud resource‐allocation decision‐

making is that the operational cost will be compared to another proposal that may directly increase

sales or corporate earnings. The reduction of a cost is a “return” but it is not directly an “increase in

earnings.” Before discussing the application in more detail it is important to review the basic concepts.

Board of Directors or C‐Suite focus is more on income (e.g., operating income or net income)

which is offset by costs including cost of goods and then “selling, general and administrative expenses

(SG&A). SG&A includes interest on borrowing or cash, sales and marketing, salary and wages, repair and

maintenance costs, and management of the business such as controlling risks. [18] Profit can be

increased by increasing revenue or decreasing costs. Controlling risk is a variation that is reducing the

chance that an event could lead to a cost in the future. The “return” is unknown and undefined.

CFOs – usually Certified Public Accounts (CPA) – are methodical and apply terms and concepts

precisely. A CFO/CPA would consider ROI to be “increase in earning” divided by “cost.” Reducing a cost

(e.g., lost cost of goods for an equipment leak) or reducing a risk or potential of a cost (e.g., adding a

hologram to reduce counterfeiting) is “reduced loss of earnings” and not directly “increased earnings.”

While the definition or direct application of “earnings” is debated a key application is how

competing resource‐allocation decisions are defended. Consider three scenarios (Table 2):


Table 2: Typical Evaluation of ROI Assessment for General Business Examples including Payback Period and ROI at 12 Months Scenarios Direct

Increase in Earnings (Y/N)

Confidence in Realized

Value

Payback Period

Return after Investment

(Y/N)

ROI at 12 months

ROI from 24 to 36 months

(1) add two new sales representatives to a new product in a market that is 25% annual growth rate (AGR) (consider expenditure of $300k per year and increased profit of $1 million after 12 months)

Yes High 1 year Yes –keep selling and growing

2.33

($1m‐$300k)/ $300k

5.67

($2m‐$300k)/ $300k

(2) fix a manufacturing equipment leak that is leaking $10,000 worth of product per year or (consider expenditures of $20,000 to reduced cost of goods of $10,000 per year)

No – reduce actual costs

High 2 years No – reduces future losses

0.5

($20k‐10k/ $20k)

0.0

($0/$0)

(3) not legally mandated species authentication tests on incoming raw materials that are defined to have a “high” food fraud vulnerability rank (consider $150k in additional testing costs with an undefined reduced annual cost of loss)

No – reduce the possibility of a loss

Low Undefined UNKNOWN – enterprise is

“less vulnerable”

UNKNOWN (Unknown/ $150k)

Still UNKNOWN

The conclusion is that considering these ROI examples,

Scenario 1 would be the highest confidence expenditure which would include ongoing

increased earnings from the sales growth,

Scenario 2 would be a pay‐out project if there is cash‐flow this year to invest in 2‐year

payback, and

Scenario 3 may be very important and valuable but with much lower confidence than the

first two.

For a problem such as food fraud it is much simpler and more direct to frame the proposals in

Enterprise Risk Management terms and using the Risk Map. Another option is to frame the problem in

terms of “vulnerability” and Enterprise Risk Management. If a risk is in the “unacceptable” range the

question is not “if” it should be reduced but “how.” The assessment should be the comparison of the


specific vulnerability reducing proposals to address this problem – not compared to fixing the leaking

machine or hiring the sales representatives. These scenarios present the challenge of using ROI for food

fraud countermeasures or control systems

3.3.2 Application:UsingtheERMRiskMaptoreviewShiftingVulnerabilities

To demonstrate the use of ERM and a Risk Map a series of proposals are provided. The action is noted

and defined. The risk is explained in terms of likelihood and consequence. A result is defined. By plotting

the current and future state on the Risk Map – using Enterprise Risk Management principles of on an

initial screening or vulnerability assessment – there is clarity for resource‐allocation decision‐making

(Table 3 and Figure 8).

Table 3: Details of Shifting Vulnerabilities that are Plotted on a Risk Map

Actions Detail Decision Result

A to B Reduce Food Fraud Prevention budget by $1M

No The change is defined to be an unacceptable option since the enterprise‐wide vulnerability shift to an unacceptable situation above the risk tolerance.

C to D A lot less of “Action 1” YES Even though there is a reduction is activity the resulting situation is still within risk tolerance.

E to F More of “Test 3” YES Conducting more of this activity reduces the vulnerability to below the risk threshold.

Figure 8: Risk Map presenting the

Shifting Vulnerabilities from the

Examples

By presenting vulnerabilities on the Risk

map there is a clear identification –

regardless of “ROI” – of the impact of

shifting vulnerabilities. The risk appetite is

set by the Board of Directors managed by

the corporate officers (“C‐suite” which is

led by the CEO and CFO). Regardless of ROI, the threshold identifies the point where the vulnerabilities

are too risky for this business. Using ERM‐like concepts and the risk map supports resource‐allocation

decision‐making.


4 CASESTUDY–KerryGlobalSupplyQualityA case study was created to demonstrate the application of enterprise risk management in food fraud

prevention. The paper reviews a risk management process implemented by their Global Supply Quality

team to support Kerry Group’s initiatives.

4.1 OverviewofKerryGroupandGlobalQualitySupplyTeamTo provide a case study of applying ERM in food fraud prevention, a review of the Kerry Global Supply

Quality process was conducted. Kerry Group is a $15 billion market value company and their $6.1 billion

revenue. [19] Their business is 80% food, beverage, and pharmaceutical ingredients and 20% consumer

branded foods. [20] Their annual report states a profitability of 85% for ingredients and 14% for

consumer goods. They have a revenue growth of 10 percent per year over the previous thirty years.

They have 23,000 employees at 130 production facilities spread around the world. Kerry has range of

suppliers and customers that demonstrate impact and influence up and down the supply chain.

The Kerry Global Supply Quality team developed the Supply Quality Risk and Vulnerability

Management and Governance system in partnership with key stakeholders and has been publically

shared with industry partners, peers, and customers. The overall goal of the system is to protect the

quality of Kerry products and increase consumer confidence in their supply chain. The objective is to

identify, manage, and coordinate a series of business processes that meet the goal as well as control

operational costs including cost of goods within the low optimal/ unacceptable risk level set by the

stakeholders similar to the risk map outlined in Figure 8. By tightening and controlling their supply chain

this type of system is intended to increase customer confidence in their products, reduce the cost

associated with recalls, and that the increased the quality and reduced vulnerability may increase the

value of their products.

The system has helped Kerry Supply Quality tem manage the introduction of new suppliers from

acquisitions and increasing complexity in their supply chain.

4.2 ScopeofReview:RawMaterialsintoManufacturingThe scope of this review included management of incoming raw materials into the manufacturing

process. This included all types of food fraud with a focus on “adulterant‐substances” (e.g., adulterants).

Other downstream processes manage the product into Kerry manufacturing facilities, storage and

distribution, and then to market monitor for marketplace fraud including stolen goods, counterfeits,

sub‐standard products, tampered products, and others. There is an overall, enterprise‐wide system that

managed operations to the under the low optimal/ unacceptable risk level set by the stakeholders

similar to the concept in Figure 8.


4.3 GlobalSupplyQualityBusinessProcessThe effort by Kerry was to enable and create a system that “connects everything to everything.” The risk

assessments, audits, insights (horizon scanning), concerns, and warnings were integrated into an

automated and linked information management system. The activities are linked within the SAP

information technology platform architecture. The information can be exported to a business

intelligence report to support additional analysis. The training programs and e‐learning academy

include several statements such as “The more transparent and reproducible the more habit forming we

create” and “Embedding one way of working.”[21] Ultimately this automated system was necessary to

manage the supply base complexity and high growth business. The system was created for “governance,

continuous improvement, and to support fact based decisions.”

4.4 TheSystemThis section reviews the Kerry Global Supply Quality system for Supplier Quality Risk and Vulnerability

Management and Governance (Table 4 and Figure 10). This demonstrates how the separate activities

are linked and coordinated.

The system used by Global Supply Quality has three main components of (Figure 9):

1. Supply Quality Business Processes,

2. Supplier Quality Governance Review, and

3. Food Safety Risk and Vulnerability Management.

Figure 9: Depiction of the

Relationship between the

key functions of Business

Process, Governance

Review, and the combined

Vulnerability Management

The “Food Safety Risk”

focuses on food safety non‐

conformance and health

hazards while the

“Vulnerability Management” focuses on food fraud. For efficiency and reproducibility, it is a key point

that quality, safety, and fraud are integrated into the same “food” assessment and management system.

Food Defense – intentional acts with the intent for public health harm – is addressed in a separate

system since the assessments and countermeasures are very different. “Supply Quality Organization

Business Processes” focus on coordination and management of the suppliers and raw materials

supplied. “Supply Quality Governance Review” focuses on analysis of information and coordination of

Food safety Risk and

Vulnerability Management

Supply Quality Business Processes

Supplier Quality

Governance Review


the decision‐making process. Finally, “Risk and Vulnerability Management” focuses on trend

coordination globally and management of the risk and vulnerability as well as integrates the mitigation

plan and actions to support all functions concerned.

Table 4: The Global Supply Quality System – Summary Review [21]

Key Process Function Action: Each key activity or process can “delink” or stop all products from moving through the supply chain

1. Supply Quality Business Processes Actions: Coordination and management of the suppliers and raw materials supplied

1A. New Vendor Set‐up down to supplier’s manufacturing facilities (MDM Workflow, SAP‐PIR [VIR]) Action: based on site of manufacture by supplier, begins process control

1B. Audit Request Action: Cross‐functional (Purchasing, Site Quality, Master Data Management and Supply Quality) workflow, approval process and maintenance for accountability and transparency

1C. Information Management (MyKerry GSQ SharePoint, Learning Academy) Action: Integrated information architecture and system management including learning and development programs

1D. Supplier Verification Action: Risk‐based audits and audit planning guide, Integrated processes in SAP including vendor‐site of manufacture‐raw material SKU‐purchasing organization linkages and business intelligence report, Global Raw Material Specifications, Supplier Development Tracker (aligned with GFSI global market program), Global Raw Material Surveillance Monitoring program for both food safety and food fraud

2. Supply quality Governance Review Action: Analysis of information and coordination of decision‐making process

2A. Horizon Scanning (External Factor) Action: External review emerging food safety issues in the market (e.g. the “fraud opportunity”)

2B. Food Fraud (External Factor) Action: Assessment of emerging issues that can potentially be economically‐driven (food fraud)

2C. Raw Material Non‐Conformance (Internal Factor) Action: Consolidation and trend analysis of raw material non‐conformances globally that support data and fact based decisions

2D. Kerry Audit Trends (CAPAs) (Internal Factor) Action: Embedded qualitative audit results that support data and fact based decisions

3. Risk and Vulnerability Management (Risk Assessment, Food Fraud Vulnerability Assessment) Action: Coordinate and manage the risk and vulnerability, integrates mitigation and preventive plan and actions to support all functions concerned

4. Enterprise Risk Management Assessment (Determining rank for Likelihood and Consequence from “very high” to “very low”)

5. Risk map (Plotting the risks in relation to all other enterprise risks)


Figure 10: Kerry Global Supply Quality system for Supply Quality Risk and Vulnerability Management and Governance (copyright permission granted from the rights holder)

4.5 Theresourceallocationdecision‐makingprocessThe system has a built‐in risk assessment function in steps are abbreviated in this report as “3A” and

“3B.” These are calibrated by the enterprise‐wide assessment in “4” and presented on the Risk Map in

“5.” The system only allows approved suppliers and products.


5 ConclusionandCalltoAction

Food fraud is becoming an autonomous concept that has developed a unique set of terminology,

methods, countermeasures and control systems. Food fraud prevention is being developed and

integrates into current system such as quality management (e.g., HACCP, HARPC or a total quality

management [TQM] system such as Six Sigma) and business resource‐allocation decision‐making (e.g.,

ERM). Implementing food fraud internal controls must be addressed for a range of compliance

requirements including food laws, financial reporting requirements, industry standards, and generally

competently managing a business.

After establishing an enterprise‐wide commitment to uniquely addressing food fraud, it is

important to put a process in place to address all types of food fraud (from adulterant‐substances to

stolen goods and counterfeits) and for all products (raw materials to finished goods in the market). An

example of the assessment system was provided in the case study of the Kerry Global Supply Quality

Risk Management and Governance. Those types of assessments should connect into a central over‐

arching system that “connects everything to everything.”

Beyond the efficiency and simplicity of plotting the food fraud vulnerabilities on a Risk Map

there is great value in using this to defend resource‐allocation. A typical Food fraud Vulnerability

Assessment provides a general ranking of “high/ medium/ low.” This ranking is based on general expert

insight of the creators of the assessment or of the risk assessors. Without additional adaption or

calibration this risk rank is not correlated to any competing risks. Different risks cannot be directly

compared. Without direct comparison there is no analytical or quantitative method for resource‐

allocation decision‐making.

The MSU Food Fraud Initiative Report series provides a range of insights that help with food

fraud prevention assessment and implementation. The first steps can and should be small and simple.

The next steps are determined by the resource‐allocation decision‐maker need for information or

responses. This ERM Application report provides deeper insight on enterprise‐wide assessments and

provided a case study example of a complex food fraud prevention Strategy system.


6 Afterword

6.1 AbouttheAuthorsJohn Spink, PhD, is the Director of the Food Fraud Initiative (FFI) within the College of Veterinary

Medicine (CVM) at Michigan State University (MSU). This report is part of the MSU Food Fraud Initiative

Report (FFIR) series. www.FoodFraud.msu.edu.

6.2 AcknowledgmentThis paper was supported by Kerry’s Global Supply Quality team’s program, case studies and

vendor management requirements. Link to Kerry Group: http://www.kerrygroup.com/

7 Appendix

7.1 ReviewofROR,ROIandRelatedAssessmentsA typical ROI formula is: [22]

Formula #: Return on Investment (ROI) ROI = Earnings (increase in revenue – cost) / Investment

An expanded version uses emphasis on increased sales:

Formula #: Expanded Form of ROI Computation: ROI = Margin (return on sales = Earnings / Sales)

* Turnover (dollars of sales generated by each dollar of investment = Sales/ Investment)

An even more detailed version expands to the impact on firm equity: [23]

Formula #: Expanded Form of ROI which Emphasizes Impact on Firm Equity Return on Equity = Profit / Sales * Sales/ Assets * Assets/ Equity From another angle is the consideration of the increase in profit or rate of return. “Let us think for a

moment about how profitability should be measured in principle. It is easy enough to compute the true,

or economic, rate of return for a common stock that is continuously traded.” [24]

Formula: Rate of Return that focuses on Stock Price

Rate or Return =

Cash Receipts (revenue) + Change in price (stock)

/

Beginning price (stock)

This is closely tied to Economic Value Added (EVA) which is an assessment of the performance of the

entire company. “The profit after deducting all costs, including the cost of capital, is called a company’s

economic value added or EVA.” [24]

Formula #: Economic Value Added (EVA)


After‐tax interest + Net income

‐

Cost of capital x Total capital

While these have their benefits and limitations another option is the widely‐adopted “DuPont

System.”[24] “The breakdown of [Return on Assets] into the product of turnover and margin is often

called the DuPont formula, after the chemical company that popularized the formula.

Formula: The DuPont System Formula

Return on Assets =

Sales / Assets

*

After‐tax interest + Net income / Sales

The key point for product fraud countermeasures and control systems is that the resource‐allocation

decision‐makers are focusing on high level assessments that address the valuation of the corporation. If

a risk reduction presentation is submitted as a straight “ROI” proposal it will have a very indirect,

uncertain and complicated contribution.

7.2 AcceptableLevelofProtection(ALOP)andFoodSafetyObjective(FSO)Before moving on to fully reviewing the research question it is important to review the threshold of

“acceptable” and “unacceptable.” CODEX defines a “Food Safety Objective (FSO)” which is “The

maximum frequency and/or concentration of a hazard in a food at the time of consumption that

provides or contributes to the acceptable level of protection (ALOP). [7] In a presentation representing

FDA, Dr. Robert Buchannan discussed ALOP. [25] “Often referred to as a risk management options

assessment, this is the process by which different options for controlling a hazard to an “acceptable level

of protection” (ALOP) are evaluated and compared.”[25] Also “Before discussing how risk assessment

techniques can be used it is important to emphasize that the establishment of an ALOP is not solely a

scientific question but involves the consideration of a variety of societal factors. A risk assessment will

not automatically establish a “safe” level, but instead provides the risk managers and other interested

parties with a means of discussing in a hopefully more objective manner the levels of safety (i.e., risk)

that currently exist in a system and the level of controls that would be achieved with further reductions

in the consumers’ exposure to the hazard.” [25] Further, the exact definition of acceptable has many

non‐scientific factors, for example, “The definition of a ‘‘reasonable’’ ALOP differs among countries, and

acceptable risk may be culturally defined. FSOs help translate the health risks associated with particular

hazards into goals that are more easily definable at the manufacturing level and across trade lines.” [26]


8 References1. COSO, Committee of Sponsoring Organizations of the Treadway Commission, Risk Assessment in

Practice ‐ Enterprise Risk Management. 2012, Committee of Sponsoring Organizations of the Treadway Commission, COSO.

2. COSO, Committee of the Sponsoring Organizations of the Treadway Commission, Internal Controls – Integrated Framework, URL: http://www.coso.org/documents/990025P_Executive_Summary_final_may20_e.pdf. 2013.

3. Spink, John and Douglas C Moyer, Defining the Public Health Threat of Food Fraud. Journal of Food Science, 2011. 76(9): p. R157‐162.

4. GFSI, Global Food Safety Initiative, Guidance Document, Benchmarking Document, Version 7, URL: http://www.theconsumergoodsforum.com/files/Publications/GFSI_Guidance_Document_Intro.pdf. 2017.

5. FSMA, Food Safety Modernization Act., Mitigation Strategies To Protect Food Against Intentional Adulteration (FSMA‐IA, Food Defense), Food and Drug Administration, Final rule, Federal Register, May 27 2016, URL: https://www.regulations.gov/document?D=FDA‐2013‐N‐1425‐0146. 2016.

6. CODEX CCFICS, Codex Alimentarious. Codex Committee on Food Import and Export Inspection and Certification Systems (CCFICS),. 2017; Available from: http://www.fao.org/fao‐who‐codexalimentarius/committees/committee‐detail/en/?committee=CCFICS.

7. Codex Alimentarius, CODEX, Procedural Manual, Twenty‐second edition, in World Health Organization/Food and Agriculture Organization of the United Nations, Geneva/Rome. 2014.

8. SSAFE Organization, Food Fraud Vulnerability Assessment Tool, (formerly : Safe Secure and Affordable Food For Everyone organization), December 16 2015, URL: http://www.ssafe‐food.org/. 2015.

9. GFSI, Global Food Safety Initiative, GFSI Position on Mitigating the Public Health Risk of Food Fraud. 2014, Global Food Safety Initiative, Consumer Goods Forum.

10. Spink, John, Neal D Fortin, Douglas C Moyer, Hong Miao, and Yongning Wu, Food Fraud Prevention: Policy, Strategy, and Decision‐Making–Implementation Steps for a Government Agency or Industry. CHIMIA International Journal for Chemistry, 2016. 70(5): p. 320‐328.

11. Spink, John, Global Counterfeit Food and Beverage Packaging: Impacts on Food Safety, in Association of Food and Drug Officials (AFDO), Annual Conference. 2007, AFDO: San Antonio, Texas.

12. Spink, J, Chapter: Supply Chain Vulnerabilities, Course: Food Fraud Managment Executive Education, Food Fraud Initiative, Michigan State University. 2014.

13. Spink, John, David Ortega, Chen Chen, and Felicia Wu, Food Fraud Prevention Shifts Food Risk Focus to Vulnerability Trends in Food Science & Technology, 2017. 00(00): p. 00‐00.

14. COSO, Committee of the Sponsoring Organizations of the Treadway Commission, COSO Enterprise Risk Management‐Integrated Framework Update, URL: http://www.coso.org/ermupdate.html. 2014.

15. COSO, Committee of Sponsoring Organizations of the Treadway Commission, Understanding and Communicating Risk Appetite, Edited by :Larry Rittenberg and Frank Martens, January 2012. 2012.

16. Kellogg Company, Form 10Q, Submitted to US Securities and Exchange Commission, Posted on EDGAR Company Filing website, URL:


https://www.sec.gov/Archives/edgar/data/55067/000162828017008104/k‐2017q210xq.htm. 2017.

17. FFI, Food Fraud Initiaive The Role of Enteprise Risk Management in Food Fraud Prevention, MSU FFIR. 2017.

18. Braun, KW and WM Tietz, Managerial Accounting, 4th Edition, Pearson Education Inc., NY. 2015. 19. Fortune Magazine, Fortune 500 Homepage, URL: http://beta.fortune.com/fortune500. 2016. 20. Group, Kerry, Kerry Overview, Kerry Group Introduction Presentation February 2017, URL:

http://www.kerrygroup.com/investors/kerry‐overview/. 2016. 21. Kerry Group, Global Supply Quality Busienss Process report. 2016. 22. Hermanson, Roger H, James D Edwards, and RF Salmonson, Accounting Principles. Second ed.

1983, Plano, Texas: Business Publications. 23. Bruner, Robert, Mark Eaker, R Edward Freeman, and Elisabeth Olmstead Teisberg, The Portable

MBA. Third ed. 1998, NYC, NY, USA: John Wiley & Sons. 24. Breadley, RA, CM Stewart, and A Franklin, Principles of Corporate Finance, 11thEdition, McGraw‐

Hill, ISBN 0‐07‐803476. 2014. 25. Buchanan, Robert, The Role of Quantitative Microbiological Risk Assessment in Risk

Management Options Assessment. Background paper for the Joint FAO/WHO Consultation held in Kiel, Germany on March, 2002: p. 18–22.

26. Anderson, NM, JW Larkin, MB Cole, GE Skinner, RC Whiting, LGM Gorris, A Rodriguez, R Buchanan, CM Stewart, and JH Hanlin, Food safety objective approach for controlling Clostridium botulinum growth and toxin production in commercially sterile foods. Journal of food protection, 2011. 74(11): p. 1956‐1989.

BKGFF17 FFI Backgrounder 2016 ERM ERM2 v46...

Documents

Transcript of BKGFF17 FFI Backgrounder 2016 ERM ERM2 v46...